Regression #16074

closed

States view doesn't populate Rule ID field if opening a new tab

Added by Steve Y about 2 months ago. Updated about 2 months ago.

Status: Not a Bug
Priority: Low
Assignee: -
Category: Diagnostics
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 24.11
Affected Architecture: All

Description

There is an inconsistency when viewing the Diagnostics > States page. For example, on the Firewall > LAN page, when I right-click and open the link in a new tab it goes to URL https://FQDN/diag_dump_states.php?ruleid=123,124.

Using a new tab like this, the "?ruleid=123,124" remains visible in the URL and the page does not auto-populate the "Rule ID" field, thus shows all open states.

If I just click the link, the browser navigates to https://FQDN/diag_dump_states.php without a querystring, but the "Rule ID" field is correctly populated.

I think I've noticed this for a while but finally figured out the pattern today. I assume it affects CE but we only have Plus and have 24.11 on the two routers I checked.

I would guess the click is POSTing and PHP isn't processing the variable as a GET, though didn't look into it.

Note the URL visible in the HTML does actually show the querystring:

<a href="diag_dump_states.php?ruleid=123,124" data-toggle="popover" data-trigger="hover focus" title="" data-content="Tracking ID: 1770009182<br />evaluations: 21.004M<br />packets: 0<br />bytes: 0 B<br />states: 0<br />state creations: 0" data-html="true" usepost="" data-original-title="States details">0/0 B</a>

#1

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Not a Bug

It's not a bug. Clicking the link is the only intended behavior there as that specific link has the usepost attribute which causes it to submit the request as if it was a POST from a form. Using GET parameters is less secure and we've been trying to eliminate as much of that as possible since relying on GET is a security concern for multiple reasons (e.g. CSRF in this case). Unfortunately, there isn't a good way to make a browser not open a new tab when you tell it to do that, and it bypasses the code intended to handle the link.
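A minimal model of the behaviour discussed in this ticket, added here as an illustration and not taken from pfSense: a click on a `usepost` link is turned into a POST carrying the query-string values, and the page applies the filter only from a POST with a valid token. Everything except `usepost`, `ruleid` and the href is a hypothetical name, including the `csrf_token` field and both function names.

```javascript
// Added illustration, not pfSense source. Only "usepost", "ruleid" and the
// href come from the ticket; every other name here is hypothetical.

// Client side: what a click handler for <a usepost> would submit instead of
// following the href. The query string moves into POST fields, which is why
// the address bar ends up without "?ruleid=...".
function hrefToPostRequest(href, csrfToken) {
  const url = new URL(href, 'https://fqdn.example/'); // constructed base URL
  const fields = Object.fromEntries(url.searchParams);
  fields.csrf_token = csrfToken; // hypothetical per-session token field
  return { method: 'POST', path: url.pathname, fields };
}

// Length-checked comparison that does not stop at the first mismatch.
function sameToken(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: the filter is read from the POST body only. A GET (link opened
// in a new tab, or a URL planted on another site) never reaches the filter
// logic, so the page renders unfiltered.
function selectRuleFilter(request, sessionToken) {
  if (request.method !== 'POST') return { status: 'unfiltered', ruleIds: null };
  if (!sameToken(request.fields.csrf_token, sessionToken)) {
    return { status: 'rejected', ruleIds: null };
  }
  const raw = request.fields.ruleid;
  if (raw === undefined) return { status: 'unfiltered', ruleIds: null };
  if (!/^\d+(,\d+)*$/.test(raw)) return { status: 'rejected', ruleIds: null };
  return { status: 'filtered', ruleIds: raw.split(',').map(Number) };
}

// Constructed inputs: the ticket's link, clicked versus opened in a new tab.
const clicked = hrefToPostRequest('diag_dump_states.php?ruleid=123,124', 'constructed-token');
const newTab = { method: 'GET', path: '/diag_dump_states.php', fields: {} };
console.log(selectRuleFilter(clicked, 'constructed-token'));
console.log(selectRuleFilter(newTab, 'constructed-token'));
```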
